
Re: HTTP intercept, with a twist



In message <178639720.1068210404@[192.168.1.44]>, Harald Tveit Alvestrand writes:
>Router vendor inspired by Verisign?
>
><http://www.theregister.co.uk/content/69/33858.html>
>

A new form of evil...  To me, that's a monkey-in-the-middle attack.  
It's also a very good reason to tunnel one's http traffic to somewhere 
beyond the reach of such nonsense.

I'm going to do what I can to publicize this, in the hope that they 
take a *big* financial hit from having to recall those units.  These 
people are slime.  Verisign could at least argue that they were only 
intervening in an error situation.

I also wonder how they do the opt-out.  Is their server resetting some 
config flag in the "router"?  With what security?  Or does the Belkin 
URL always go to their site, with the real URL tagged along?  In that 
case, they're eavesdropping on communications.

		--Steve Bellovin, http://www.research.att.com/~smb